sc-3 Medium priority Supply Chain / Supply Chain

Software is obtained from trusted sources and integrity is verified

Attackers increasingly compromise software supply chains by injecting malicious code into legitimate packages, build pipelines, or update mechanisms. Downloading software from unofficial sources or failing to verify integrity allows tampered binaries to enter your environment undetected. Verifying software integrity using checksums or code signatures is a low-effort control that stops tampered or substituted downloads before they are installed. It does not by itself catch a package that was already malicious when the vendor built and signed it; that residual risk is covered by the sourcing and SBOM steps below.

Complete first: sc-1

Implementation steps

  1.

    Establish policies for approved software sources

    Define a list of approved software sources for your organization: official vendor sites, approved package registries such as npm or PyPI, and internal artifact repositories. Prohibit installing software from unofficial sources. For development teams, configure package managers to pull from an internal proxy or approved registry that is scanned for malicious packages.

    jfrog-artifactory sonatype-nexus aws-codeartifact github-packages verdaccio
  2.

    Verify integrity using checksums and code signatures before installation

    For software downloaded from vendor sites, compute the SHA-256 or SHA-512 digest of the downloaded file, compare it with the published checksum before installation, and fail the install on any mismatch or when no checksum is published. A checksum served from the same location as the download only detects corruption or a mirror-level swap; where the vendor signs releases, verify the signature (for example with cosign or gpg) using a key obtained out-of-band rather than from the download page. For software packages, use the package manager's signature verification and lockfile integrity hashes where available. In CI/CD pipelines, pin dependencies, base images and workflow actions to specific digests (a full commit SHA for a GitHub Action, an image@sha256:... reference for a container) rather than mutable version tags, so that a compromised upstream cannot silently replace a pinned version.

    github-actions sigstore cosign in-toto gitlab-ci
  3.

    Generate and maintain a software bill of materials for key systems

    A software bill of materials (SBOM) is a machine-readable list of all components in a software artifact. Generate SBOMs for your critical applications in a standard format such as CycloneDX or SPDX and store them in a central repository. When a new CVE is published for a specific library, query the stored SBOMs to identify which applications include the affected version instead of auditing each codebase by hand. Integrate SBOM generation into your build pipeline so that every build produces an SBOM for the exact artifact it ships.

    syft cyclonedx snyk github-dependency-graph anchore
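
The checksum check from step 2 as it would run in a pipeline, written here as an added example rather than code from the original page or from any of the tools listed above. It looks up the artifact's published digest in a vendor-style SHA256SUMS file, compares it with a locally computed SHA-256, and refuses the install on a mismatch or when no digest is published. The artifact, the tampered copy and the SHA256SUMS file are constructed inline so the script runs offline; the file name tool-1.2.3.tar.gz is illustrative and not a real release.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 verification of a downloaded artifact
# against a vendor-style SHA256SUMS file. Inputs below are constructed so the
# script runs offline; "tool-1.2.3.tar.gz" is an illustrative name.
set -eu

# SHA-256 of a file, portable across GNU coreutils, busybox and systems that
# only ship openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Look up the published digest for a file name in a SHA256SUMS-style file.
# Lines look like "<hex>  <name>"; a leading '*' on the name marks binary mode.
expected_digest() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1"
}

# Exit status 0 only if the file's digest matches its published entry.
# 1 = digest mismatch (tampered or corrupted), 2 = no entry published at all.
verify_artifact() {
    file=$1; sums=$2
    want=$(expected_digest "$sums" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "REFUSE: no published digest for $(basename "$file")" >&2
        return 2
    fi
    got=$(sha256_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "REFUSE: $file expected $want got $got" >&2
    return 1
}

# --- constructed inputs -------------------------------------------------
# "hello\n" has a well-known SHA-256; it stands in for the genuine release.
GOOD_SUM=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
tmp=$(mktemp -d)
mkdir "$tmp/genuine" "$tmp/tampered"
GOOD=$tmp/genuine/tool-1.2.3.tar.gz
BAD=$tmp/tampered/tool-1.2.3.tar.gz      # same name, different bytes
SUMS=$tmp/SHA256SUMS
printf 'hello\n' > "$GOOD"
printf 'hello!\n' > "$BAD"
printf '%s  tool-1.2.3.tar.gz\n' "$GOOD_SUM" > "$SUMS"

# Genuine download passes; the tampered copy and an unlisted file are refused.
verify_artifact "$GOOD" "$SUMS"
if ! verify_artifact "$BAD" "$SUMS"; then echo "install blocked"; fi
if ! verify_artifact "$tmp/unlisted.tgz" "$SUMS"; then echo "install blocked"; fi
```

In a real pipeline the SHA256SUMS file comes from the vendor and, where the vendor signs it, its signature is verified with a key obtained out-of-band before the digests in it are trusted; the "no published digest" case is deliberately a hard failure rather than a warning so that an unlisted file cannot slip through.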

Evidence required

Software sourcing policy and integrity verification records

Evidence that software is obtained from approved sources and that integrity is verified.

  • Written policy listing approved software sources and verification requirements
  • CI/CD pipeline configuration showing dependency pinning and signature verification
  • SBOM for one or more critical applications

Related controls